Security Center

• Enforcing a strong password policy
• Applying 2-Factor Authentication
• Sending login data over a secure channel
• Automatically logging out customers after a period of inactivity
• Educating our customers on the risks of business email compromise schemes
• Enforce separation of duties with role-based access that lets you control who can enter, approve, and pay bills.
• Automatically keep a record of all AP activity with a timestamped audit trail that cannot be altered, including original bills, review notes, approvals, payments, and remittance details for each transaction; then easily access that documentation for internal, vendor, and auditor inquiries.

Payment Protections

Network Protections

• BILL uses security software, intrusion detection and prevention appliances, and network monitoring technology to detect and prevent unauthorized electronic access to our servers.

Data Protections

• BILL applies an additional level of encryption to protect access to sensitive customer data from malicious applications.
• We use Transport Layer Security (TLS) and industry standard cipher suites to protect customer data during transit over the internet.
• BILL replicates production data from the primary site to the co-location facility for disaster recovery scenarios.

Physical Protections

• BILL servers and network infrastructure are hosted at secure data center facilities managed by leading certified data center providers.
• All our employees undergo background checks and data security and privacy training.
• We have a formal vendor management program to manage third-party risks.

Compliance Protections

• BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm.
• BILL partners with a PCI certified vendor for credit card payments.
• We have adopted an Anti-Money Laundering (AML)/Office of Foreign Assets Control (OFAC) Program, which is designed to prevent the BILL Service from being used for purposes of money laundering, terrorist financing, violating or subverting OFAC sanctions, or for other illegal purposes.

• Do not share passwords, PIN, security tokens or any other account credentials. That includes reusing the same credentials elsewhere or sharing them with another person. Keep them secure.
• Always use strong and unique passwords that are not easily guessable. An 8 characters or longer, random password that contains a combination of upper and lower case letters, numbers and symbols is much harder to break.
• Review account transactions daily and reconcile frequently.
• Avoid using public computers to access your account—even if additional security measures have been taken.
• Practice security principles of least privilege and separation of duties. BILL provides granular, role based access control capabilities in the product. Use them to carefully grant and monitor access. Grant minimal access needed for employees to do the assigned job duties. Promptly remove the access when no longer needed. Assign different roles to different employees so that a single person alone can not compromise the transaction workflow.
• Building a security culture where everyone understands their part in keeping an organization secure goes a long way. Train everyone in the company on best practices in information security, not just financial personnel. Identify regular opportunities to routinely discuss security best practices, such as staff meetings or other group check-ins.
• Set up Multi-Factor Authentication to help further protect your account from unauthorized log-ins.

• Install reputable anti-virus and anti-malware software and update it frequently. Most modern software updates automatically.
• Keep operating systems, browser, and email patches up to date.
• Keep your web browser software up to date by regularly installing the most recent version.
• Use reputable network and desktop firewall solutions.
• Require and monitor that users sign off their computer or employ a lock screen when not in use.
• Consider disabling CD, DVD and USB drives on all computers where these drives are not needed.

Best practices for Accountants/ Employees